Network Intrusions, "Windows Operational System" blocked in Comodo Firewall

Hello guys, I’m new to the forum and new to the custom firewalls world. I always used the Windows standard firewall and always felt safe, but I just formatted the system (too much garbage) and decided to embrace a custom firewall. I chose Comodo because a lot of people say good things about it.

But there is something that is bugging me: I installed it yesterday and started getting a lot of blocked network intrusions. It was, like, almost 300 in 1h30m~2h of network usage (even when the PC was kind of idle).

All those connection attempts, named “Windows Operational System”, were using the UDP protocol and all of them were entry connections, from different IPs (totally different; I randomly searched for 3 of them on one of those IP search sites and got the following locations: Bosnia, India and Hungary) and ports, but all targeted the same IP (mine) and the same port (I googled this port and according to IANA it is an unassigned port; I even used netstat to see if anything was using it and found nothing).

I tried using this: http://help.comodo.com/uploads/Comodo%20Internet%20Security/1bca1244957cf78a78b90fc0d6acd490/5eac818f1e1c4adc19d335055b06586b/51f24e032fc68594a1f9eead5f60e5dd/cis_firewall1.png (1st option in the picture) and it seemed to work but I’m not sure it was really working or just suppressing the blockings in the log because when I selected the 2nd option in the picture I started receiving the blocks in the log again.

I am really worried about that, guys. It was yesterday at night, so I decided to uninstall Comodo and left the PC off for 12h more or less. I just reinstalled Comodo Firewall (selecting all advanced options in the firewall tab like filter IPv6, block fragmented IP, etc. On the first install I only had filter loopback, and I’m using the firewall in “safe mode”) and didn’t get these blocks again, but that may be the time.

Would you mind helping me out? I’m really worried about that.

Best regards.

Were you using p2p file sharing applications and closed said application? Then Windows Operational System is where connections go to die if there is no application waiting to pick up the phone. This happens with p2p file transfer software like torrents because they don’t waste bandwidth or resources updating a list of who’s connected/offline etc.; they just send packets where a request was received from. When someone does disconnect from the transfer there will still be incoming packets; however, Windows will discard them since no application is waiting for those packets anymore.

This is just one possible scenario. It could also just be misconfiguration. Try exporting your logs and posting them so we can see what’s going on.

Hey aim4it, first of all thanks for the reply,

I noticed that when I opened uTorrent, it went all crazy (with those attempts to connect popping up in the log even faster). What bugs me is that I didn’t have any torrents set, I just opened the client. Is that normal?

And about the “Block incoming connections” in stealth ports, what did it really do? Did it only ignore the blocks in the logs or did it actually help?

Unfortunately, the logs are gone since I reinstalled the firewall. But I took a screenshot, would that still be useful? Now I am basically using the standard configuration, plus some “tweaks” (like the filter ipv6) that I saw at the article from Chiron in tech support alert, but when it all happened I was using standard configuration.

Best regards.

Yes, it’s normal, because torrent clients connect to a DHT (Distributed hash table) even with no .tor’s loaded; it’s part of how the client finds Seeders & Leechers with the assistance of trackers.

You can read more here: Distributed hash table - Wikipedia

Block incoming will do what it says: it will block all incoming connections that do not meet an exception rule that allows the connection to pass.

The log viewer has an export button that looks like a door with an arrow pointing out. I believe it can be exported as a .html file.

Also, is it normal for svchost.exe to ask for an entry connection (the connection is from my router [default gateway] to the IP of my PC)? I got the warnings on 2 different occasions; the first was kind of random since I wasn’t doing anything special, and the 2nd happened when I changed my wifi password. I rejected both because I wasn’t sure what to do, but some time after I rejected the 2nd I got those Windows Operational System being rejected again, but this time the target ports were important ones like 21, also from some weird IPs (I checked and one was from China) to my PC’s IP.

I know that this might not be the correct place but my router has a firewall option in the router config page. Should I activate it and set it to filter only the IPs of the machines that use it, or is NAT already safe enough? And if I do that and leave the ports blank, what might happen?

Thanks a lot!

Have you actually made any rules for your p2p client?

Have you set your ports?

Reading through this helped me loads:

Especially the section about Customizing Firewall Rules → System Wide Rules.

If you really like to get down with Comodo Firewall these are a great starting point and the rules described there are all still working.

To answer your question, I think it is normal for svchost to try to communicate inside your system when you adjust settings between your router and your machine. Concerning the port 21 request from an external IP, it only means that either someone also did not care to configure their p2p client or they are trying to break in. I think it is just that a lot of people do not care to configure their p2p client and send out requests on all sorts of ports. If you check the ports section in the firewall you can define rules there.

Configuring your p2p client with Comodo is done like this: https://forums.comodo.com/guides-cis/firewall-tutorial-for-utorrent-with-comodo-internet-security-t15677.0.html though I am not sure if these rules are up to date. I would assume so since they do work for me.
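One way to sort an exported block log into the two cases discussed in this thread (leftover p2p traffic aimed at the torrent client's port versus probes of service ports such as 21), added here as an example that is not from any poster. The record layout, the sample rows and port 45012 are constructed and are not Comodo's export format; `p2p_port` stands for whatever incoming port the torrent client is configured to use.

```python
from collections import defaultdict

# Constructed sample records: (direction, protocol, src_ip, src_port, dst_port).
# Map the fields of your own exported log onto this layout.
SAMPLE = [
    ("in",  "UDP", "198.51.100.7",  51413, 45012),
    ("in",  "UDP", "203.0.113.44",  6881,  45012),
    ("in",  "UDP", "192.0.2.19",    33012, 45012),
    ("in",  "UDP", "198.51.100.7",  51413, 45012),  # repeat from same peer
    ("in",  "TCP", "203.0.113.90",  40211, 21),
    ("in",  "TCP", "192.0.2.200",   52100, 49200),
    ("out", "UDP", "192.168.1.20",  45012, 6881),   # outbound, ignored
]

def summarize(events):
    """Group blocked inbound events by (protocol, destination port)."""
    sources = defaultdict(set)
    hits = defaultdict(int)
    for direction, proto, src_ip, _src_port, dst_port in events:
        if direction != "in":
            continue
        sources[(proto, dst_port)].add(src_ip)
        hits[(proto, dst_port)] += 1
    return {k: {"hits": hits[k], "sources": len(s)} for k, s in sources.items()}

def triage(events, p2p_port, min_sources=3):
    """Label each targeted port (heuristic, thresholds are assumptions).

    p2p-leftover : many unrelated peers hitting the torrent client's port,
                   the pattern left behind after the client is closed.
    service-probe: traffic to a well-known port (< 1024) such as FTP/21.
    review       : anything else; check it by hand.
    """
    labels = {}
    for (proto, dst_port), stats in summarize(events).items():
        if dst_port == p2p_port and stats["sources"] >= min_sources:
            labels[(proto, dst_port)] = "p2p-leftover"
        elif dst_port < 1024:
            labels[(proto, dst_port)] = "service-probe"
        else:
            labels[(proto, dst_port)] = "review"
    return labels

if __name__ == "__main__":
    for key, label in sorted(triage(SAMPLE, p2p_port=45012).items()):
        print(key, label, summarize(SAMPLE)[key])
```

If the heavily targeted port does not match the client's configured port, the p2p explanation does not apply and the entries belong under `review`.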